Defensive security audit toolkit for Next.js + Supabase + Vercel projects.
SecurityVibe is an open-source documentation archive and testing framework for security reviews, code reviews, configuration reviews, hardening, and authorized penetration testing of applications built with:
- Next.js App Router & React Server Components
- Supabase Auth, Database, Storage, Realtime
- Vercel Deploy, Preview, Edge & Serverless
- Tailwind CSS (and common adjacent tooling)
Defensive only. This project covers attack vectors, bug classes, misconfigurations, detection patterns, and mitigations. It does not include payloads, PoCs, operational bypass instructions, or weaponization guidance.
- Security engineers running structured reviews
- Full-stack developers hardening their own stack
- AI coding agents performing evidence-based audits
- Teams preparing for production launch or compliance checks
1. Clone or copy this repository into your workflow (or reference it as a submodule).
2. Read Getting Started and Audit Workflow.
3. Run the Version and Advisory Gate first: docs/categories/01-version-advisory-gate.md.
4. Execute detection scripts against your target project:

   ```bash
   # Unix / macOS / Linux / Git Bash
   ./scripts/inventory.sh /path/to/your-project
   ```

   ```powershell
   # Windows PowerShell
   ./scripts/inventory.ps1 -ProjectPath C:\path\to\your-project
   ```

5. Work through audit categories in order (see docs/README.md).
6. Record findings using templates/finding.md.
7. Use prompts/ with AI agents — one category at a time.
```text
SecurityVibe/
├── docs/        # Full audit methodology and category guides
├── checklists/  # Printable / copy-paste audit checklists
├── prompts/     # AI agent prompts (defensive, evidence-based)
├── templates/   # Finding and executive report templates
├── scripts/     # ripgrep-based detection helpers
├── sql/         # Supabase/Postgres RLS audit queries
├── references/  # Verified external sources
└── .github/     # Issue and PR templates
```
| Step | Category | Doc |
|---|---|---|
| 0 | Version & Advisory Gate | 01-version-advisory-gate |
| 1 | Project inventory | 02-project-inventory |
| 2 | Supabase Auth & SSR | 03-supabase-auth |
| 3 | RLS & multi-tenant | 04-rls-multi-tenant |
| 4 | Storage & upload | 05-storage-upload |
| 5 | Server Actions | 06-server-actions |
| 6 | Route Handlers & API | 07-route-handlers-api |
| 7 | RSC, cache & data security | 08-rsc-cache-data-security |
| 8 | Middleware & routing | 09-middleware-routing |
| 9 | Cache, CDN & images | 10-cache-cdn-image |
| 10 | Vercel deployment | 11-vercel-deployment |
| 11 | Realtime | 12-realtime |
| 12 | XSS, CSP & frontend | 13-xss-csp |
| 13 | SSRF & outbound requests | 14-ssrf-outbound |
| 14 | DoS & cost control | 15-dos-cost-control |
| 15 | Supply chain & secrets | 16-supply-chain |
| 16 | AI/LLM (if applicable) | 17-ai-llm |
| 17 | Dashboard checks | 18-dashboard-checks |
| 18 | Regression test suite | 19-regression-test-suite |
| 19 | CSRF, CORS & cross-origin | 20-csrf-cors |
| 20 | Secrets & key management | 21-secrets-management |
| 21 | Supabase Edge Functions | 22-supabase-edge-functions |
| 22 | Logging & monitoring | 23-logging-monitoring |
| 23 | Account takeover & identity | 24-account-takeover |
| 24 | Postgres extensions & pg_graphql | 25-postgres-extensions |
| 25 | Security headers & cookies | 26-security-headers-cookies |
| 26 | Business logic & IDOR | 27-business-logic-idor |
| 27 | Email infrastructure (SPF/DKIM/DMARC) | 28-email-infrastructure |
| 28 | Compliance & audit tables | 29-compliance-audit-tables |
| 29 | PostgREST info disclosure | 30-postgrest-info-disclosure |
- Retest playbook template — verify fixes after an audit (PASS/FAIL)
- Next.js / React CVE & advisory catalog
- OWASP mapping (Top 10 / API / LLM)
- Incident patterns (defensive case studies)
See docs/severity.md for severity definitions and recommended SLAs.
If you use Cursor, Copilot, Claude Code, or similar tools, read AGENTS.md before running category prompts. Agents must produce evidence-based findings with file paths and line numbers — never invented issues.
Contributions welcome. See CONTRIBUTING.md and CODE_OF_CONDUCT.md.
Copyright © 2026 bnistor4. All rights reserved where applicable. Released under the MIT License.
This toolkit is for authorized security assessment and defensive hardening only. You are responsible for obtaining proper permission before testing any system you do not own or operate.